Configure > firewall options 4.33 – Westermo MR Series User Manual

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

4.33 Configure > Firewall Options

This page contains the timer parameters and other options that are used by the Firewall stateful
inspection module. This module establishes temporary firewall rules that last for the duration of a
single connection only. Typically, the first packet of a TCP connection (a SYN packet) is used to
create a stateful inspection rule that only allows subsequent packets for that TCP connection through
the firewall. The timers described below are used to set limits on how long such rules may persist.

Using the Web Page(s)

The web page includes the following parameters:

Timers

TCP opening (s):

This parameter specifies the length of time allowed for a TCP connection to become established
after receipt of the TCP packet that caused a stateful inspection rule to be created. If a TCP
connection is not established within this period, the associated stateful inspection rule will be
removed.

TCP open (s):

This parameter specifies the length of time that an established TCP connection may remain idle
before the stateful inspection rule created for it is removed. The timer is restarted each time a
packet is processed by the associated stateful inspection rule.

TCP closing (s):

This parameter specifies the length of time that is allowed for a TCP socket to close once the
first FIN packet has been received. If the timer elapses before the socket has completed closing,
the associated stateful inspection rule is removed.

TCP closed (s):

This parameter specifies the length of time that a stateful inspection rule will remain in place
after a TCP connection has closed.

UDP (s):

This parameter specifies the length of time that a stateful inspection rule will remain in place
following the receipt of a UDP packet. The timer is restarted each time packets matching the
rule pass in each direction. As a consequence, rules based on UDP should only be used if it is
anticipated that packets will travel in both directions.

ICMP (s):

Some ICMP packets, such as “ECHO” requests, will generate responses. This parameter specifies
the length of time that a stateful inspection rule created in respect of an ICMP packet will
remain in place before being removed if a response packet has not been received. Such a rule
will also be removed immediately following the receipt of a response.

Other protocol (s):

If a stateful inspection rule is created from a packet type other than TCP, UDP or ICMP, this
parameter specifies the length of time for which the rule will persist. The timer is restarted each
time a packet is processed by the rule.
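
The following Python model is an added example, not code from the manual or from the router firmware. It walks one TCP stateful inspection rule through the four TCP timers described above. The timer values, the class and method names, and the simplification that a rule counts as closed once both sides have sent a FIN are assumptions made for the illustration.

```python
# Added illustration: simplified model of TCP stateful inspection rule lifetimes.
# Timer values (seconds) are constructed; the manual page lists no defaults.
TIMERS = {"opening": 10, "open": 300, "closing": 10, "closed": 2}

class TcpStateTable:
    def __init__(self, timers=TIMERS):
        self.timers = timers
        self.rules = {}  # connection key -> [state, expiry time, FIN directions seen]

    def _set(self, key, state, now, fins=()):
        self.rules[key] = [state, now + self.timers[state], set(fins)]

    def state(self, key, now):
        """Return the rule's state, removing the rule if its timer has elapsed."""
        rule = self.rules.get(key)
        if rule and now >= rule[1]:
            del self.rules[key]
            rule = None
        return rule[0] if rule else None

    def packet(self, key, flags, now, reply=False):
        """Process one packet; True means a stateful rule lets it through."""
        state = self.state(key, now)
        if state is None:
            # Only the first packet of a connection (a SYN) creates a rule.
            if flags != "SYN" or reply:
                return False
            self._set(key, "opening", now)
        elif state == "opening":
            # Not restarted: the handshake must complete within "TCP opening".
            if flags == "ACK" and not reply:
                self._set(key, "open", now)
        elif state == "open":
            if "FIN" in flags:
                self._set(key, "closing", now, [reply])  # first FIN starts closing
            else:
                self._set(key, "open", now)              # idle timer restarted
        elif state == "closing":
            fins = self.rules[key][2]
            if "FIN" in flags:
                fins.add(reply)
            if fins == {True, False}:                    # both sides have sent FIN
                self._set(key, "closed", now)
        # In "closed" the packet passes and the timer runs on until removal.
        return True
```

Calling `packet()` with a SYN and never completing the handshake shows the rule disappearing once the opening timer elapses, after which a late ACK is no longer let through.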
